Oracle Issues Monster Security Update

Seven of the 23 patches involve aspects of the company's flagship database, Oracle 10g, including fixes for the main server itself, Grid Control, Application Server, Collaboration Suite and Database Control products.

Oracle Corp. on Tuesday released its quarterly Critical Patch Update, closing 85 security vulnerabilities with 23 patches in its databases, servers and enterprise applications.
Oracle describes "critical patch update" as "a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches."
Seven of the 23 patches involve aspects of the companys flagship database, Oracle 10g, including fixes for the main server itself, Grid Control, Application Server, Collaboration Suite and Database Control products.

Patches are also included for the Oracle 9i and Oracle 8i database servers.

PeopleSoft Enterprise Tools and PeopleSoft CRM also have new patches, as does JD Edwards EnterpriseOne/OneWorld XE.
The Oracle Database Server, Enterprise Manager, Oracle Application Server and Oracle Collaboration Suite patches in the Updates are cumulative, the company said. Each successive Critical Patch Update contains the fixes from the previous updates.
Oracle E-Business Suite/Applications patches are not cumulative, so E-Business Suite/Applications customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply, the company said.
As a matter of policy, Oracle does not provide additional information about the specifics of vulnerabilities beyond what is provided in the quarterly notification, the Pre-Installation notes, the readme files and FAQs.
Oracles quarterly patch releases are scheduled for January, April, July and October. They are released on the Tuesday closest to the 15th day of those months.
The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracles attention: Brian Carr; Sacha Faust of S.P.I. Dynamics Inc.; Esteban Martínez Fayó of Application Security Inc.; Alexander Kornbrust of Red Database Security; Steven Kost of Integrigy Corp.; David Litchfield of NGSS Limited; and Noderat Ratty and Keigo Yamazaki of Little eArth Corp. Co., Ltd.
In a recent posting to a bug-tracking mailing list, Litchfield, managing director of NGS Software and a vocal Oracle security critic, complained that Oracle historically has been very slow in responding to reported vulnerabilitiesespecially in its database servers.
"Some of Oracles fixes simply attempt to stop the example exploits I sent them for reproduction purposes. In other words, the actual flaw was not addressed, and with a slight modification to the exploit, it works again. This shows a slapdash approach with no real consideration for fixing the actual problem itself," he wrote.
Litchfield said he had reported the broken fixes to Oracle in February this year.
"It is now October 2005 ... in all of this time, Oracle database servers have been easy to cracka fact Oracle is surely aware of," he wrote.
Database break-ins are becoming more attractive to hackers because enterprises are putting more data into digital form and online, analysts say.
"Absolutelyits like cracking the bank safe instead of mugging the customers as they walk out the door," Gartner security analyst Rich Mogull told Ziff Davis Internet via e-mail. "While its harder, the payoff is bigger. Look at the CardSystems case as an example of a big DB theft (we think, not all the details are out)."
Click here to read more about the CardSystems data breach.
Website break-ins and DOS (denial-of-service) attacks often get a lot of media coverage, but not as much is heard about database break-ins, because "they are less public and it takes a higher caliber of attack," Mogull said.
"If someone defaces your Web site, you know right away. If they copy a database, you might never know.
"Also, databases are usually better protected and less exposed to direct Internet attack, so the attacks themselves need to be more sophisticated. For example, we have SQL injection attacks where someone figures out how to embed SQL statements into an application (usually in a form field) and get results or make changes to the database in ways that should never happen. Its not nearly as easy as downloading the latest worm tool."
Mogull said that database security overall is "improving, but we still have a ways to go. Some of the problems are very hard to solve, such as better monitoring of [DBA] database administrator activity or better patch management.
"I think were doing a moderate job and relying a little too much on databases historically being deeper within the enterprise. Some examples of really bad practices are static passwords stored in clear text in applications and batch jobs, shared administrative accounts, no controls on DBA activity, etc. We can definitely be doing better," Mogull said.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Chris Preimesberger was named Editor-in-Chief of Features & Analysis at eWEEK in November 2011. Previously he served eWEEK as Senior Writer, covering a range of IT sectors that include data center systems, cloud computing, storage, virtualization, green IT, e-discovery and IT governance. His blog, Storage Station, is considered a go-to information source. Chris won a national Folio Award for magazine writing in November 2011 for a cover story on Salesforce.com and CEO-founder Marc Benioff, and he has served as a judge for the SIIA Codie Awards since 2005. In previous IT journalism, Chris was a founding editor of both IT Manager's Journal and DevX.com and was managing editor of Software Development magazine. His diverse resume also includes: sportswriter for the Los Angeles Daily News, covering NCAA and NBA basketball, television critic for the Palo Alto Times Tribune, and Sports Information Director at Stanford University. He has served as a correspondent for The Associated Press, covering Stanford and NCAA tournament basketball, since 1983. He has covered a number of major events, including the 1984 Democratic National Convention, a Presidential press conference at the White House in 1993, the Emmy Awards (three times), two Rose Bowls, the Fiesta Bowl, several NCAA men's and women's basketball tournaments, a Formula One Grand Prix auto race, a heavyweight boxing championship bout (Ali vs. Spinks, 1978), and the 1985 Super Bowl. A 1975 graduate of Pepperdine University in Malibu, Calif., Chris has won more than a dozen regional and national awards for his work. He and his wife, Rebecca, have four children and reside in Redwood City, Calif.Follow on Twitter: editingwhiz